I have reviewed this document (twice now) as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This version does not address the comments I made against the -07 version, notably:

The document needs to discuss the security considerations surrounding the API in your document, as opposed to just pointing to RFC5388.

Nits:

- Sec 3.1.1: add "." to end of last sentence
- Sec 3.4.3.1 and 3.4.3.2: r/- The NAI of the user./The NAI of the user.
- Sec 3.4.5.7: Move description before C code.

spt